On Mon, 30 Dec 2013, Chris Smith wrote:
> From: Chris Smith <obsd_m...@chrissmith.org>
> To: OpenBSD-Misc <misc@openbsd.org>
> Date: Mon, 30 Dec 2013 17:10:10
> Subject: unbound dnssec revisited
>
> I've been working on using dnssec with the unbound package and viewing
> some of the threads here on the list regarding this.
>
> Enabling autotrust and the validator module in unbound.conf and
> running unbound-anchor before starting unbound will enable dnssec but
> eventually will log errors of:
>
> could not open autotrust file for writing
>
> This is apparently because the _unbound user or group does not have
> write privileges to the directory, running unbound-anchor with "sudo
> -u _unbound" doesn't change the directory perms.
>
> I'm using the following diff to make this all work (you can all
> probably improve on it, and please do):
>
> ===================================================
> --- unbound.orig Mon Dec 30 11:03:51 2013
> +++ unbound Mon Dec 30 11:38:19 2013
> @@ -8,6 +8,14 @@
> . /etc/rc.d/rc.subr
>
> pexp="unbound${daemon_flags:+ ${daemon_flags}}"
> +
> +autotrust() {
> + chgrp _unbound "/var/unbound/etc"
> + chmod 775 "/var/unbound/etc"
> + sudo -u _unbound /usr/local/sbin/unbound-anchor
> + wait
> +}
> +
> rc_reload=NO
>
> rc_pre() {
> @@ -16,6 +24,7 @@
> -f /var/unbound/etc/unbound_control.pem ]]; then
> unbound-control-setup >/dev/null 2>&1
> fi
> + autotrust
> }
>
> rc_start() {
> ===================================================
>
> If the autotrust function is run (it can be commented out if desired)
> it retrieves the root.key and gives the _unbound group write
> privileges to the /var/unbound/etc directory thereby preventing the
> above log errors.
...
It's a while since I looked at this, so the exact details are hazy,
but is all this necessary?
When it's up and running, unbound will probe for a new root
key at intervals. This is indicated in the manual entry for
auto-trust-anchor-file in unbound.conf(5) which also states:
The file is written to when the anchor is updated, so the unbound
user must have write permission.
unbound also requires write permission on the containing directory.
Certainly make sense for unbound to check the root key periodically.
unbound is potentially a very long running process on a server.
So all I did was run unbound-anchor once to create the root key in a
separate directory. I then changed the ownership of the directory
and the root key file to the unbound user. Seems to work; switching
on this laptop for the first time since early this morning resulted
in:
poulidor $ pwd
/var/unbound/etc
poulidor $ ls -ld autokey/
drwxr-xr-x 2 _unbound _unbound 512 Dec 31 19:18 autokey/
poulidor $ ls -l autokey/
total 4
-rw-r--r-- 1 _unbound _unbound 759 Dec 31 19:18 root.key
poulidor $ cat autokey/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1388517505 ;;Tue Dec 31 19:18:25 2013
;;last_success: 1388517505 ;;Tue Dec 31 19:18:25 2013
;;next_probe_time: 1388557610 ;;Wed Jan 1 06:26:50 2014
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0
;;lastchange=1326728235 ;;Mon Jan 16 15:37:15 2012
poulidor $
so unbound checked the root key and put a date stamp in the root
key file indicating when this was done. And a further date stamp
indicating when the next check is due.
Doesn't seem to me that you need to run unbound-anchor as a part of
/etc/rc.d/unbound. You just need to run it once as part of setting
up unbound. After that a running unbound will periodically check
the root key.
--
Dennis Davis <dennisda...@fastmail.fm>
